Abstract

An encryption method is presented with the novel property that publicly revealing an encryption key does not thereby reveal the corresponding decryption key. This has two important consequences:

1. Couriers or other secure means are not needed to transmit keys, since a message can be enciphered using an encryption key publicly revealed by the intended recipient. Only he can decipher the message, since only he knows the corresponding decryption key.

2. A message can be "signed" using a privately held decryption key. Anyone can verify this signature using the corresponding publicly revealed encryption key. Signatures cannot be forged, and a signer cannot later deny the validity of his signature. This has obvious applications in "electronic mail" and "electronic funds transfer" systems.

A message is encrypted by representing it as a number M, raising M to a publicly specified power e, and then taking the remainder when the result is divided by the publicly specified product, n, of two large secret prime numbers p and q. Decryption is similar; only a different, secret, power d is used, where

$e \cdot d \equiv 1 \pmod{(p-1) \cdot (q-1)}.$

The security of the system rests in part on the difficulty of factoring the published divisor, n.
I Introduction

The  era  of  “electronic  mail”  [10]  may  soon  be  upon  us;  we  must  ensure  that  two 
important  properties  of  the  current  “paper  mail”  system  are  preserved:  (a)  messages 
are private, and (b) messages can be signed. We demonstrate in this paper how to
build  these  capabilities  into  an  electronic  mail  system. 

At  the  heart  of  our  proposal  is  a  new  encryption  method.  This  method  provides 
an  implementation  of  a  “public-key  cryptosystem,”  an  elegant  concept  invented  by 
Diffie and Hellman [1]. Their article motivated our research, since they presented
the  concept  but  not  any  practical  implementation  of  such  a  system.  Readers  familiar 
with  [1]  may  wish  to  skip  directly  to  Section  V  for  a  description  of  our  method. 


II  Public-Key  Cryptosystems 

In a "public key cryptosystem" each user places in a public file an encryption procedure E. That is, the public file is a directory giving the encryption procedure of each user. The user keeps secret the details of his corresponding decryption procedure D. These procedures have the following four properties:

(a) Deciphering the enciphered form of a message M yields M. Formally,

$D(E(M)) = M.$ (1)

(b) Both E and D are easy to compute.

(c) By publicly revealing E the user does not reveal an easy way to compute D. This means that in practice only he can decrypt messages encrypted with E, or compute D efficiently.

(d) If a message M is first deciphered and then enciphered, M is the result. Formally,

$E(D(M)) = M.$ (2)

An  encryption  (or  decryption)  procedure  typically  consists  of  a  general  method 
and  an  encryption  key.  The  general  method,  under  control  of  the  key,  enciphers  a 
message  M  to  obtain  the  enciphered  form  of  the  message,  called  the  ciphertext  C. 
Everyone  can  use  the  same  general  method;  the  security  of  a  given  procedure  will  rest 
on  the  security  of  the  key.  Revealing  an  encryption  algorithm  then  means  revealing 
the  key. 
When the user reveals E he reveals a very inefficient method of computing D(C): testing all possible messages M until one such that E(M) = C is found. If property (c) is satisfied the number of such messages to test will be so large that this approach is impractical.

A function E satisfying (a)-(c) is a "trap-door one-way function;" if it also satisfies (d) it is a "trap-door one-way permutation." Diffie and Hellman [1] introduced the concept of trap-door one-way functions but did not present any examples. These functions are called "one-way" because they are easy to compute in one direction but (apparently) very difficult to compute in the other direction. They are called "trap-door" functions since the inverse functions are in fact easy to compute once certain private "trap-door" information is known. A trap-door one-way function which also satisfies (d) must be a permutation: every message is the ciphertext for some other message and every ciphertext is itself a permissible message. (The mapping is "one-to-one" and "onto".) Property (d) is needed only to implement "signatures."

The reader is encouraged to read Diffie and Hellman's excellent article [1] for further background, for elaboration of the concept of a public-key cryptosystem, and for a discussion of other problems in the area of cryptography. The ways in which a public-key cryptosystem can ensure privacy and enable "signatures" (described in Sections III and IV below) are also due to Diffie and Hellman.

For our scenarios we suppose that A and B (also known as Alice and Bob) are two users of a public-key cryptosystem. We will distinguish their encryption and decryption procedures with subscripts: $E_A, D_A, E_B, D_B$.


III  Privacy 

Encryption  is  the  standard  means  of  rendering  a  communication  private.  The  sender 
enciphers  each  message  before  transmitting  it  to  the  receiver.  The  receiver  (but  no 
unauthorized  person)  knows  the  appropriate  deciphering  function  to  apply  to  the 
received  message  to  obtain  the  original  message.  An  eavesdropper  who  hears  the 
transmitted  message  hears  only  “garbage”  (the  ciphertext)  which  makes  no  sense  to 
him  since  he  does  not  know  how  to  decrypt  it. 

The large volume of personal and sensitive information currently held in computerized data banks and transmitted over telephone lines makes encryption increasingly
important.  In  recognition  of  the  fact  that  efficient,  high-quality  encryption  techniques 
are  very  much  needed  but  are  in  short  supply,  the  National  Bureau  of  Standards  has 
recently  adopted  a  “Data  Encryption  Standard”  [13,  14],  developed  at  IBM.  The  new 
standard  does  not  have  property  (c),  needed  to  implement  a  public-key  cryptosystem. 

All  classical  encryption  methods  (including  the  NBS  standard)  suffer  from  the 
“key  distribution  problem.”  The  problem  is  that  before  a  private  communication  can 
begin,  another  private  transaction  is  necessary  to  distribute  corresponding  encryption 
and  decryption  keys  to  the  sender  and  receiver,  respectively.  Typically  a  private 
courier  is  used  to  carry  a  key  from  the  sender  to  the  receiver.  Such  a  practice  is  not 
feasible  if  an  electronic  mail  system  is  to  be  rapid  and  inexpensive.  A  public-key 
cryptosystem needs no private couriers; the keys can be distributed over the insecure
communications  channel. 

How can Bob send a private message M to Alice in a public-key cryptosystem? First, he retrieves $E_A$ from the public file. Then he sends her the enciphered message $E_A(M)$. Alice deciphers the message by computing $D_A(E_A(M)) = M$. By property (c) of the public-key cryptosystem only she can decipher $E_A(M)$. She can encipher a private response with $E_B$, also available in the public file.

Observe that no private transactions between Alice and Bob are needed to establish private communication. The only "setup" required is that each user who wishes to receive private communications must place his enciphering algorithm in the public file.

Two users can also establish private communication over an insecure communications channel without consulting a public file. Each user sends his encryption key
to  the  other.  Afterwards  all  messages  are  enciphered  with  the  encryption  key  of  the 
recipient,  as  in  the  public- key  system.  An  intruder  listening  in  on  the  channel  cannot 
decipher  any  messages,  since  it  is  not  possible  to  derive  the  decryption  keys  from  the 
encryption  keys.  (We  assume  that  the  intruder  cannot  modify  or  insert  messages  into 
the  channel.)  Ralph  Merkle  has  developed  another  solution  [5]  to  this  problem. 

A  public-key  cryptosystem  can  be  used  to  “bootstrap”  into  a  standard  encryption 
scheme  such  as  the  NBS  method.  Once  secure  communications  have  been  established, 
the first message transmitted can be a key to use in the NBS scheme to encode all
following  messages.  This  may  be  desirable  if  encryption  with  our  method  is  slower 
than  with  the  standard  scheme.  (The  NBS  scheme  is  probably  somewhat  faster  if 
special-purpose  hardware  encryption  devices  are  used;  our  scheme  may  be  faster  on 
a  general-purpose  computer  since  multiprecision  arithmetic  operations  are  simpler  to 
implement  than  complicated  bit  manipulations.) 


IV  Signatures 

If  electronic  mail  systems  are  to  replace  the  existing  paper  mail  system  for  business 
transactions,  “signing”  an  electronic  message  must  be  possible.  The  recipient  of  a 
signed  message  has  proof  that  the  message  originated  from  the  sender.  This  quality 
is  stronger  than  mere  authentication  (where  the  recipient  can  verify  that  the  message 
came  from  the  sender);  the  recipient  can  convince  a  “judge”  that  the  signer  sent  the 
message.  To  do  so,  he  must  convince  the  judge  that  he  did  not  forge  the  signed 
message  himself!  In  an  authentication  problem  the  recipient  does  not  worry  about 
this possibility, since he only wants to satisfy himself that the message came from the
sender. 

An electronic signature must be message-dependent, as well as signer-dependent.
Otherwise  the  recipient  could  modify  the  message  before  showing  the  message-signature 
pair  to  a  judge.  Or  he  could  attach  the  signature  to  any  message  whatsoever,  since 
it  is  impossible  to  detect  electronic  “cutting  and  pasting.” 

To implement signatures the public-key cryptosystem must be implemented with trap-door one-way permutations (i.e. have property (d)), since the decryption algorithm will be applied to unenciphered messages.

How can user Bob send Alice a "signed" message M in a public-key cryptosystem? He first computes his "signature" S for the message M using $D_B$:

$S = D_B(M).$

(Deciphering an unenciphered message "makes sense" by property (d) of a public-key cryptosystem: each message is the ciphertext for some other message.) He then encrypts S using $E_A$ (for privacy), and sends the result to Alice. He need not send M as well; it can be computed from S.

Alice first decrypts the ciphertext with $D_A$ to obtain S. She knows who is the presumed sender of the signature (in this case, Bob); this can be given if necessary in plain text attached to S. She then extracts the message with the encryption procedure of the sender, in this case $E_B$ (available on the public file):

$M = E_B(S).$

She now possesses a message-signature pair (M, S) with properties similar to those of a signed paper document.

Bob cannot later deny having sent Alice this message, since no one else could have created $S = D_B(M)$. Alice can convince a "judge" that $E_B(S) = M$, so she has proof that Bob signed the document.

Clearly Alice cannot modify M to a different version M', since then she would have to create the corresponding signature $S' = D_B(M')$ as well.

Therefore Alice has received a message "signed" by Bob, which she can "prove" that he sent, but which she cannot modify. (Nor can she forge his signature for any other message.)

An electronic checking system could be based on a signature system such as the above. It is easy to imagine an encryption device in your home terminal allowing you to sign checks that get sent by electronic mail to the payee. It would only be necessary to include a unique check number in each check so that even if the payee copies the check the bank will only honor the first version it sees.

Another  possibility  arises  if  encryption  devices  can  be  made  fast  enough:  it  will 
be  possible  to  have  a  telephone  conversation  in  which  every  word  spoken  is  signed  by 
the  encryption  device  before  transmission. 

When encryption is used for signatures as above, it is important that the encryption device not be "wired in" between the terminal (or computer) and the communications channel, since a message may have to be successively enciphered with several keys. It is perhaps more natural to view the encryption device as a "hardware subroutine" that can be executed as needed.

We have assumed above that each user can always access the public file reliably. In a "computer network" this might be difficult; an "intruder" might forge messages purporting to be from the public file. The user would like to be sure that he actually obtains the encryption procedure of his desired correspondent and not, say, the encryption procedure of the intruder. This danger disappears if the public file "signs" each message it sends to a user. The user can check the signature with the public file's encryption algorithm $E_{PF}$. The problem of "looking up" $E_{PF}$ itself in the public file is avoided by giving each user a description of $E_{PF}$ when he first shows up (in person) to join the public-key cryptosystem and to deposit his public encryption procedure. He then stores this description rather than ever looking it up again. The need for a courier between every pair of users has thus been replaced by the requirement for a single secure meeting between each user and the public file manager when the user joins the system. Another solution is to give each user, when he signs up, a book (like a telephone directory) containing all the encryption keys of users in the system.


V  Our  Encryption  and  Decryption  Methods 

To  encrypt  a  message  M  with  our  method,  using  a  public  encryption  key  (e,n), 
proceed  as  follows.  (Here  e  and  n  are  a  pair  of  positive  integers.) 

First,  represent  the  message  as  an  integer  between  0  and  n  —  1.  (Break  a  long 
message  into  a  series  of  blocks,  and  represent  each  block  as  such  an  integer.)  Use  any 
standard  representation.  The  purpose  here  is  not  to  encrypt  the  message  but  only  to 
get  it  into  the  numeric  form  necessary  for  encryption. 

Then, encrypt the message by raising it to the eth power modulo n. That is, the result (the ciphertext C) is the remainder when $M^e$ is divided by n.

To decrypt the ciphertext, raise it to another power d, again modulo n. The encryption and decryption algorithms E and D are thus:

$C = E(M) = M^e \pmod n,$ for a message M.

$D(C) = C^d \pmod n,$ for a ciphertext C.

Note  that  encryption  does  not  increase  the  size  of  a  message;  both  the  message 
and  the  ciphertext  are  integers  in  the  range  0  to  n  —  1. 

The encryption key is thus the pair of positive integers (e, n). Similarly, the decryption key is the pair of positive integers (d, n). Each user makes his encryption key public, and keeps the corresponding decryption key private. (These integers should properly be subscripted as in $n_A$, $e_A$, and $d_A$, since each user has his own set. However, we will only consider a typical set, and will omit the subscripts.)

How  should  you  choose  your  encryption  and  decryption  keys,  if  you  want  to  use 
our  method? 

You first compute n as the product of two primes p and q:

$n = p \cdot q.$

These  primes  are  very  large,  “random”  primes.  Although  you  will  make  n  public, 
the  factors  p  and  q  will  be  effectively  hidden  from  everyone  else  due  to  the  enormous 
difficulty  of  factoring  n.  This  also  hides  the  way  d  can  be  derived  from  e. 

You then pick the integer d to be a large, random integer which is relatively prime to (p - 1)(q - 1). That is, check that d satisfies:

$\gcd(d, (p-1) \cdot (q-1)) = 1$

("gcd" means "greatest common divisor").

The integer e is finally computed from p, q, and d to be the "multiplicative inverse" of d, modulo (p - 1)(q - 1). Thus we have

$e \cdot d \equiv 1 \pmod{(p-1) \cdot (q-1)}.$

We prove in the next section that this guarantees that (1) and (2) hold, i.e. that E and D are inverse permutations. Section VII shows how each of the above operations can be done efficiently.

The aforementioned method should not be confused with the "exponentiation" technique presented by Diffie and Hellman [1] to solve the key distribution problem. Their technique permits two users to determine a key in common to be used in a normal cryptographic system. It is not based on a trap-door one-way permutation. Pohlig and Hellman [8] study a scheme related to ours, where exponentiation is done modulo a prime number.
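The key generation of this section and the "sign, then encrypt" exchange of Section IV, as an added Python example (not code from the paper). Bob's primes and d are the values of the paper's small example in Section VIII; Alice's primes (61, 53) and d = 2753 are a constructed assumption, chosen so that $n_B < n_A$ and Bob's signature S is always a valid block under $E_A$. Key sizes are toy-sized so every intermediate value can be checked by hand.

```python
"""Toy RSA following Section V, used for the signed private message of Section IV.

Added example, not code from the paper.  Bob's (47, 59, 157) are the paper's
Section VIII values; Alice's (61, 53, 2753) are an assumption.
"""
from math import gcd
from typing import NamedTuple


class PublicKey(NamedTuple):
    e: int
    n: int


class PrivateKey(NamedTuple):
    d: int
    n: int


def make_keys(p: int, q: int, d: int) -> tuple:
    """n = p*q; d must be relatively prime to (p-1)(q-1); e is d's inverse mod that."""
    if p == q:
        raise ValueError("p and q must be distinct primes")
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(d, phi) != 1:
        raise ValueError("d must be relatively prime to (p-1)(q-1)")
    e = pow(d, -1, phi)                      # multiplicative inverse (Python 3.8+)
    return PublicKey(e, n), PrivateKey(d, n)


def E(key: PublicKey, m: int) -> int:
    """C = M^e (mod n): anyone can do this with the public file entry."""
    if not 0 <= m < key.n:
        raise ValueError("block must be an integer in [0, n)")
    return pow(m, key.e, key.n)


def D(key: PrivateKey, c: int) -> int:
    """M = C^d (mod n): only the holder of d can do this."""
    if not 0 <= c < key.n:
        raise ValueError("block must be an integer in [0, n)")
    return pow(c, key.d, key.n)


def bob_sends(alice_pub: PublicKey, bob_priv: PrivateKey, m: int) -> int:
    """Section IV: S = D_B(M), then E_A(S) for privacy; only E_A(S) is transmitted."""
    s = D(bob_priv, m)
    # S lies below n_B; it must also lie below n_A to be a valid block for E_A.
    # Assumption here: n_B < n_A, so that always holds (otherwise S would need re-blocking).
    return E(alice_pub, s)


def alice_receives(alice_priv: PrivateKey, bob_pub: PublicKey, ciphertext: int) -> tuple:
    """Alice recovers S = D_A(ciphertext) and then M = E_B(S).  Returns (M, S)."""
    s = D(alice_priv, ciphertext)
    return E(bob_pub, s), s


def signature_matches(bob_pub: PublicKey, m: int, s: int) -> bool:
    """What Alice shows the judge: E_B(S) == M.  A changed M' fails unless she
    could produce S' = D_B(M'), which needs Bob's d."""
    return E(bob_pub, s) == m


def run_exchange(m: int = 920) -> dict:
    """Whole scenario with the sample keys; returns the intermediate values."""
    alice_pub, alice_priv = make_keys(61, 53, 2753)    # constructed sample keys
    bob_pub, bob_priv = make_keys(47, 59, 157)         # paper's Section VIII values
    ct = bob_sends(alice_pub, bob_priv, m)
    recovered, s = alice_receives(alice_priv, bob_pub, ct)
    return {
        "e_B": bob_pub.e, "n_B": bob_pub.n, "S": s, "ciphertext": ct,
        "recovered": recovered,
        "judge_accepts": signature_matches(bob_pub, recovered, s),
        "judge_accepts_tampered": signature_matches(bob_pub, (m + 1) % bob_pub.n, s),
    }


if __name__ == "__main__":
    for k, v in run_exchange().items():
        print(f"{k:>24}: {v}")
```

The exchange works because D and E commute (property (d)): $E_B(D_B(M)) = M$. The judge check is the one the text describes; note that with blocks of arbitrary numbers there is no notion of a "meaningless" message, so the check is purely $E_B(S) = M$ and relies on the recipient presenting M alongside S.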


VI  The  Underlying  Mathematics 

We demonstrate the correctness of the deciphering algorithm using an identity due to Euler and Fermat [7]: for any integer (message) M which is relatively prime to n,

$M^{\phi(n)} \equiv 1 \pmod n.$ (3)

Here $\phi(n)$ is the Euler totient function giving the number of positive integers less than n which are relatively prime to n. For prime numbers p,

$\phi(p) = p - 1.$

In our case, we have by elementary properties of the totient function [7]:

$\phi(n) = \phi(p) \cdot \phi(q) = (p-1) \cdot (q-1) = n - (p+q) + 1.$ (4)

Since d is relatively prime to $\phi(n)$, it has a multiplicative inverse e in the ring of integers modulo $\phi(n)$:

$e \cdot d \equiv 1 \pmod{\phi(n)}.$ (5)

We now prove that equations (1) and (2) hold (that is, that deciphering works correctly if e and d are chosen as above). Now

$D(E(M)) = (E(M))^d = (M^e)^d \pmod n = M^{e \cdot d} \pmod n$

$E(D(M)) = (D(M))^e = (M^d)^e \pmod n = M^{e \cdot d} \pmod n$

and

$M^{e \cdot d} = M^{k \cdot \phi(n) + 1} \pmod n$ (for some integer k).

From (3) we see that for all M such that p does not divide M

$M^{p-1} \equiv 1 \pmod p$

and since (p - 1) divides $\phi(n)$

$M^{k \cdot \phi(n) + 1} \equiv M \pmod p.$

This is trivially true when $M \equiv 0 \pmod p$, so that this equality actually holds for all M. Arguing similarly for q yields

$M^{k \cdot \phi(n) + 1} \equiv M \pmod q.$

Together these last two equations imply that for all M,

$M^{e \cdot d} = M^{k \cdot \phi(n) + 1} \equiv M \pmod n.$

This implies (1) and (2) for all M, $0 \le M < n$. Therefore E and D are inverse permutations. (We thank Rich Schroeppel for suggesting the above improved version of the authors' previous proof.)
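The argument above has to treat the messages that share a factor with n separately, because identity (3) does not apply to them; the congruences modulo p and modulo q separately are what carry the proof. The following Python, an added example rather than anything from the paper, checks the whole chain by brute force for one small modulus. It uses p = 47, q = 59, d = 157, the values of the paper's own small example in Section VIII; any two distinct primes and a valid d work the same way.

```python
"""Exhaustive check of the Section VI argument for one small modulus.

Added example, not code from the paper.  p, q and d default to the values of
the paper's small example (Section VIII).
"""
from math import gcd


def totient_of_pq(p: int, q: int) -> int:
    """Equation (4): phi(n) = (p-1)(q-1) = n - (p+q) + 1 for n = p*q."""
    n = p * q
    phi = (p - 1) * (q - 1)
    assert phi == n - (p + q) + 1
    return phi


def check_inverse_permutations(p: int, q: int, d: int) -> tuple:
    """Return (failures, messages_not_coprime_to_n, messages_where_(3)_fails).

    `failures` counts the M in [0, n) with M^(e*d) != M (mod n); the proof says
    this must be 0 even for the M that share a factor with n, although for
    exactly those M the Euler identity (3) itself does not hold."""
    n = p * q
    phi = totient_of_pq(p, q)
    if gcd(d, phi) != 1:
        raise ValueError("d must be relatively prime to phi(n)")
    e = pow(d, -1, phi)                  # equation (5): e*d = 1 (mod phi(n))
    k = (e * d - 1) // phi               # e*d = k*phi(n) + 1 for some integer k
    failures = not_coprime = euler_fails = 0
    for m in range(n):
        if gcd(m, n) != 1:
            not_coprime += 1
            if pow(m, phi, n) != 1:      # identity (3) needs gcd(M, n) = 1 ...
                euler_fails += 1
        # ... but the two congruences mod p and mod q hold for every M,
        mod_p_ok = pow(m, k * phi + 1, p) == m % p
        mod_q_ok = pow(m, k * phi + 1, q) == m % q
        # and together they give M^(e*d) = M (mod n).
        if not (mod_p_ok and mod_q_ok) or pow(m, e * d, n) != m:
            failures += 1
    return failures, not_coprime, euler_fails


if __name__ == "__main__":
    print(check_inverse_permutations(47, 59, 157))   # expect (0, 105, 105)
```

For n = 2773 there are 59 + 47 - 1 = 105 messages that are multiples of 47 or 59 (counting M = 0 once); for all of them $M^{\phi(n)} \not\equiv 1 \pmod n$, yet every one of them still round-trips, which is exactly what the mod-p / mod-q argument delivers.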


VII  Algorithms 

To  show  that  our  method  is  practical,  we  describe  an  efficient  algorithm  for  each 
required  operation. 

A How to Encrypt and Decrypt Efficiently

Computing $M^e \pmod n$ requires at most $2 \cdot \log_2(e)$ multiplications and $2 \cdot \log_2(e)$ divisions using the following procedure (decryption can be performed similarly using d instead of e):

Step 1. Let $e_k e_{k-1} \ldots e_1 e_0$ be the binary representation of e.

Step 2. Set the variable C to 1.

Step 3. Repeat steps 3a and 3b for $i = k, k-1, \ldots, 0$:

Step 3a. Set C to the remainder of $C^2$ when divided by n.

Step 3b. If $e_i = 1$, then set C to the remainder of $C \cdot M$ when divided by n.

Step 4. Halt. Now C is the encrypted form of M.


This  procedure  is  called  “exponentiation  by  repeated  squaring  and  multiplication.” 
This  procedure  is  half  as  good  as  the  best;  more  efficient  procedures  are  known. 
Knuth  [3]  studies  this  problem  in  detail. 

The  fact  that  the  enciphering  and  deciphering  are  identical  leads  to  a  simple 
implementation.  (The  whole  operation  can  be  implemented  on  a  few  special-purpose 
integrated  circuit  chips.) 

A  high-speed  computer  can  encrypt  a  200-digit  message  M  in  a  few  seconds; 
special-purpose hardware would be much faster. The encryption time per block increases no faster than the cube of the number of digits in n.
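The four-step procedure of Section VII A, as an added Python example (not code from the paper). It scans the bits of e from the most significant down, exactly as Steps 1-3 describe, and also returns the number of modular multiplications performed so the $2 \cdot \log_2(e)$ bound can be observed; the same routine decrypts when called with d.

```python
"""Section VII A: exponentiation by repeated squaring and multiplication.

Added example, not code from the paper.  Besides the result it returns the
number of modular multiplications actually performed.
"""


def modexp(m: int, e: int, n: int) -> tuple:
    """Return (M^e mod n, number of modular multiplications used)."""
    if n <= 0 or e < 0 or not 0 <= m < n:
        raise ValueError("need n > 0, e >= 0 and 0 <= M < n")
    bits = bin(e)[2:]                  # Step 1: e_k e_{k-1} ... e_1 e_0 (e_k first)
    c = 1 % n                          # Step 2
    mults = 0
    for bit in bits:                   # Step 3: for i = k, k-1, ..., 0
        c = (c * c) % n                #   3a: C <- C^2 mod n
        mults += 1
        if bit == "1":                 #   3b: if e_i = 1, C <- C*M mod n
            c = (c * m) % n
            mults += 1
    return c, mults                    # Step 4: C is M^e mod n


def within_bound(e: int, mults: int) -> bool:
    """At most one squaring and one multiplication per bit of e."""
    return mults <= 2 * len(bin(e)[2:])


if __name__ == "__main__":
    # The paper's small example (Section VIII): e = 17 = 10001 in binary.
    c, used = modexp(920, 17, 2773)
    print(f"920^17 mod 2773 = {c} using {used} multiplications")
    print(f"948^157 mod 2773 = {modexp(948, 157, 2773)[0]}")
```

With e = 17 = 10001 the loop does five squarings and two multiplications by M, seven operations in all, against a bound of ten; the first squaring (of C = 1) is wasted, which is part of why the text calls the procedure "half as good as the best."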
B How to Find Large Prime Numbers

Each user must (privately) choose two large random numbers p and q to create his own encryption and decryption keys. These numbers must be large so that it is not computationally feasible for anyone to factor $n = p \cdot q$. (Remember that n, but not p or q, will be in the public file.) We recommend using 100-digit (decimal) prime numbers p and q, so that n has 200 digits.

To find a 100-digit "random" prime number, generate (odd) 100-digit random numbers until a prime number is found. By the prime number theorem [7], about $(\ln 10^{100})/2 = 115$ numbers will be tested before a prime is found.

To test a large number b for primality we recommend the elegant "probabilistic" algorithm due to Solovay and Strassen [12]. It picks a random number a from a uniform distribution on {1, ..., b - 1}, and tests whether

$\gcd(a, b) = 1 \quad\text{and}\quad J(a, b) \equiv a^{(b-1)/2} \pmod b,$ (6)

where J(a, b) is the Jacobi symbol [7]. If b is prime (6) is always true. If b is composite (6) will be false with probability at least 1/2. If (6) holds for 100 randomly chosen values of a then b is almost certainly prime; there is a (negligible) chance of one in $2^{100}$ that b is composite. Even if a composite were accidentally used in our system, the receiver would probably detect this by noticing that decryption didn't work correctly. When b is odd, a < b, and gcd(a, b) = 1, the Jacobi symbol J(a, b) has a value in {-1, 1} and can be efficiently computed by the program:

$J(a, b) = \text{if } a = 1 \text{ then } 1 \text{ else}$
$\quad \text{if } a \text{ is even then } J(a/2, b) \cdot (-1)^{(b^2 - 1)/8}$
$\quad \text{else } J(b \bmod a, a) \cdot (-1)^{(a-1)(b-1)/4}$

(The computations of J(a, b) and gcd(a, b) can be nicely combined, too.) Note that this algorithm does not test a number for primality by trying to factor it. Other efficient procedures for testing a large number for primality are given in [6, 9, 11].

To gain additional protection against sophisticated factoring algorithms, p and q should differ in length by a few digits, both (p - 1) and (q - 1) should contain large prime factors, and gcd(p - 1, q - 1) should be small. The latter condition is easily checked.

To find a prime number p such that (p - 1) has a large prime factor, generate a large random prime number u, then let p be the first prime in the sequence $i \cdot u + 1$, for i = 2, 4, 6, .... (This shouldn't take too long.) Additional security is provided by ensuring that (u - 1) also has a large prime factor.

A  high-speed  computer  can  determine  in  several  seconds  whether  a  100-digit  num¬ 
ber  is  prime,  and  can  find  the  first  prime  after  a  given  point  in  a  minute  or  two. 

Another  approach  to  finding  large  prime  numbers  is  to  take  a  number  of  known 
factorization,  add  one  to  it,  and  test  the  result  for  primality.  If  a  prime  p  is  found 
it  is  possible  to  prove  that  it  really  is  prime  by  using  the  factorization  of  p  —  1.  We 
omit  a  discussion  of  this  since  the  probabilistic  method  is  adequate. 
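The prime-finding procedure of this section, as an added Python example (not the paper's code): the Jacobi symbol, the Solovay-Strassen test (6), the random search for a prime, and the construction of p with a large prime factor u in p - 1. The Jacobi routine is the recursive program above written as a loop, so it cannot hit Python's recursion limit on 100-digit inputs. Bit lengths are parameters; the choice of making u eight bits shorter than the target is an assumption of this example, not something the paper specifies.

```python
"""Section VII B: Solovay-Strassen primality testing with the Jacobi symbol, a
random-prime search, and the "p - 1 has a large prime factor" construction.

Added example, not the paper's code.  The bit length is a parameter: the paper
recommends 100 decimal digits (about 332 bits); smaller sizes run faster.
"""
from math import gcd
from secrets import randbelow


def jacobi(a: int, b: int) -> int:
    """Jacobi symbol J(a, b) for odd b > 0, the recursive program of the text as a loop.

    (-1)^((b^2-1)/8) is -1 exactly when b = 3 or 5 (mod 8), and
    (-1)^((a-1)(b-1)/4) is -1 exactly when a = b = 3 (mod 4)."""
    if b <= 0 or b % 2 == 0:
        raise ValueError("b must be a positive odd integer")
    a %= b
    result = 1
    while a != 0:
        while a % 2 == 0:              # J(a, b) = J(a/2, b) * (-1)^((b^2-1)/8)
            a //= 2
            if b % 8 in (3, 5):
                result = -result
        a, b = b, a                    # J(a, b) = J(b mod a, a) * (-1)^((a-1)(b-1)/4)
        if a % 4 == 3 and b % 4 == 3:
            result = -result
        a %= b
    return result if b == 1 else 0     # 0 means gcd(a, b) > 1


def is_probable_prime(b: int, rounds: int = 100) -> bool:
    """Solovay-Strassen: test condition (6) for `rounds` random bases a.

    A prime always passes; a composite passes one round with probability at
    most 1/2, so 100 rounds leave a 2^-100 chance of accepting a composite."""
    if b < 2:
        return False
    if b in (2, 3):
        return True
    if b % 2 == 0:
        return False
    for _ in range(rounds):
        a = 1 + randbelow(b - 1)                           # uniform on {1, ..., b-1}
        if gcd(a, b) != 1:
            return False
        if jacobi(a, b) % b != pow(a, (b - 1) // 2, b):    # J(a,b) = a^((b-1)/2) (mod b)
            return False
    return True


def random_prime(bits: int) -> int:
    """Generate odd `bits`-bit numbers until one passes the test; by the prime
    number theorem about ln(2^bits)/2 candidates are needed on average."""
    if bits < 8:
        raise ValueError("use at least 8 bits")
    while True:
        candidate = (1 << (bits - 1)) | randbelow(1 << (bits - 1)) | 1   # top and low bit set
        if is_probable_prime(candidate):
            return candidate


def prime_with_large_factor(bits: int) -> tuple:
    """Return (p, u): u a random prime, p the first prime among 2u+1, 4u+1, 6u+1, ...
    so that p - 1 has the large prime factor u.

    Assumption (not from the paper): u is 8 bits shorter than the target so that
    p lands near `bits` bits after the small multiplier i."""
    u = random_prime(bits - 8)
    i = 2
    while True:
        p = i * u + 1
        if is_probable_prime(p):
            return p, u
        i += 2


def gcd_of_p1_q1_is_small(p: int, q: int, limit: int = 1 << 16) -> bool:
    """The easily checked condition from the text: gcd(p-1, q-1) should be small."""
    return gcd(p - 1, q - 1) < limit


if __name__ == "__main__":
    p, u = prime_with_large_factor(64)
    q, v = prime_with_large_factor(72)      # "differ in length by a few digits"
    print(f"p = {p} (p-1 divisible by {u}), q = {q}, gcd(p-1,q-1) small: "
          f"{gcd_of_p1_q1_is_small(p, q)}")
```

Bases that share a factor with b are rejected by the gcd test before the Jacobi symbol is consulted, which is the reason the text can assume gcd(a, b) = 1 inside J(a, b). A Carmichael number such as 561 passes the plain Fermat test for every coprime base but is caught by (6).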
C How to Choose d

It is very easy to choose a number d which is relatively prime to $\phi(n)$. For example, any prime number greater than max(p, q) will do. It is important that d should be chosen from a large enough set so that a cryptanalyst cannot find it by direct search.

D How to Compute e from d and $\phi(n)$

To compute e, use the following variation of Euclid's algorithm for computing the greatest common divisor of $\phi(n)$ and d. (See exercise 4.5.2.15 in [3].) Calculate $\gcd(\phi(n), d)$ by computing a series $x_0, x_1, x_2, \ldots$, where $x_0 = \phi(n)$, $x_1 = d$, and $x_{i+1} = x_{i-1} \pmod{x_i}$, until an $x_k$ equal to 0 is found. Then $\gcd(x_0, x_1) = x_{k-1}$. Compute for each $x_i$ numbers $a_i$ and $b_i$ such that $x_i = a_i \cdot x_0 + b_i \cdot x_1$. If $x_{k-1} = 1$ then $b_{k-1}$ is the multiplicative inverse of $x_1 \pmod{x_0}$. Since k will be less than $2 \log_2(n)$, this computation is very rapid.

If e turns out to be less than $\log_2(n)$, start over by choosing another value of d. This guarantees that every encrypted message (except M = 0 or M = 1) undergoes some "wrap-around" (reduction modulo n).


VIII  A  Small  Example 

Consider the case p = 47, q = 59, $n = p \cdot q = 47 \cdot 59 = 2773$, and d = 157. Then $\phi(2773) = 46 \cdot 58 = 2668$, and e can be computed as follows:

$x_0 = 2668,\ a_0 = 1,\ b_0 = 0,$

$x_1 = 157,\ a_1 = 0,\ b_1 = 1,$

$x_2 = 156,\ a_2 = 1,\ b_2 = -16$ (since $2668 = 157 \cdot 16 + 156$),

$x_3 = 1,\ a_3 = -1,\ b_3 = 17$ (since $157 = 1 \cdot 156 + 1$).

Therefore e = 17, the multiplicative inverse (mod 2668) of d = 157.

With n = 2773 we can encode two letters per block, substituting a two-digit number for each letter: blank = 00, A = 01, B = 02, ..., Z = 26. Thus the message


ITS  ALL  GREEK  TO  ME 

(Julius  Caesar,  I,  ii,  288,  paraphrased)  is  encoded: 


0920  1900  0112  1200  0718  0505  1100  2015  0013  0500 

Since e = 10001 in binary, the first block (M = 920) is enciphered:

$M^{17} = (((((1)^2 \cdot M)^2)^2)^2)^2 \cdot M \equiv 948 \pmod{2773}.$

The  whole  message  is  enciphered  as: 

0948  2342  1084  1444  2663  2390  0778  0774  0219  1655  . 

The reader can check that deciphering works: $948^{157} \equiv 920 \pmod{2773}$, etc.
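The Euclid variant of Section VII D and the worked example of Section VIII, as one added Python example (not code from the paper). `inverse_by_euclid` keeps the $(x_i, a_i, b_i)$ rows exactly as the text defines them, so the table it produces for (2668, 157) is the one printed above; the rest encodes the message two letters per block with the alphabet described above (blank = 00, A = 01, ..., Z = 26), encrypts it, and decrypts it again. The primes, d, and the message are the paper's.

```python
"""Sections VII D and VIII: the Euclid variant that yields e from d and phi(n),
then the two-letters-per-block encoding and encryption of the small example.

Added example, not code from the paper.  p = 47, q = 59, d = 157 and the
message are the paper's; the block alphabet is the one described in the text.
"""
from math import log2

ALPHABET = " ABCDEFGHIJKLMNOPQRSTUVWXYZ"      # index of a letter is its two-digit code


def inverse_by_euclid(x0: int, x1: int) -> tuple:
    """Return (gcd(x0, x1), b_{k-1}, table).

    table holds rows (x_i, a_i, b_i) with x_i = a_i*x0 + b_i*x1 and
    x_{i+1} = x_{i-1} mod x_i; the last nonzero x_i is the gcd and, when it is
    1, its b_i is the inverse of x1 modulo x0."""
    table = [(x0, 1, 0), (x1, 0, 1)]
    while table[-1][0] != 0:
        (xa, aa, ba), (xb, ab, bb) = table[-2], table[-1]
        quo = xa // xb
        table.append((xa - quo * xb, aa - quo * ab, ba - quo * bb))
    g, _, b = table[-2]
    return g, b, table


def compute_e(p: int, q: int, d: int) -> int:
    """e = d^-1 mod phi(n), rejecting d if the inverse is smaller than log2(n)."""
    n, phi = p * q, (p - 1) * (q - 1)
    g, b, _ = inverse_by_euclid(phi, d)
    if g != 1:
        raise ValueError("d is not relatively prime to phi(n); choose another d")
    e = b % phi
    if e < log2(n):
        raise ValueError("e < log2(n): small messages would not wrap around; choose another d")
    return e


def encode_blocks(text: str) -> list:
    """Two letters per block: 'IT' -> 920.  Pads an odd-length text with a blank."""
    text = text.upper()
    if len(text) % 2:
        text += " "
    if any(ch not in ALPHABET for ch in text):
        raise ValueError("only A-Z and blank are representable")
    return [ALPHABET.index(text[i]) * 100 + ALPHABET.index(text[i + 1])
            for i in range(0, len(text), 2)]


def decode_blocks(blocks: list) -> str:
    return "".join(ALPHABET[b // 100] + ALPHABET[b % 100] for b in blocks)


def transform(blocks: list, exponent: int, n: int) -> list:
    """Raise every block to `exponent` mod n.  Encryption and decryption are the
    same operation with e or d; each block must be an integer in [0, n)."""
    if any(not 0 <= b < n for b in blocks):
        raise ValueError("every block must be in [0, n); use a larger n or smaller blocks")
    return [pow(b, exponent, n) for b in blocks]


def encrypt_blocks(blocks: list, e: int, n: int) -> list:
    return transform(blocks, e, n)


def decrypt_blocks(blocks: list, d: int, n: int) -> list:
    return transform(blocks, d, n)


if __name__ == "__main__":
    p, q, d = 47, 59, 157
    n = p * q
    e = compute_e(p, q, d)
    for row in inverse_by_euclid((p - 1) * (q - 1), d)[2]:
        print("x_i = %5d  a_i = %5d  b_i = %6d" % row)
    plain = encode_blocks("ITS ALL GREEK TO ME")
    cipher = encrypt_blocks(plain, e, n)
    print("e =", e)
    print(" ".join("%04d" % b for b in plain))
    print(" ".join("%04d" % c for c in cipher))
    print(decode_blocks(decrypt_blocks(cipher, d, n)))
```

Two-letter blocks fit because the largest code, 2626, is below n = 2773; the `transform` guard is what fails if a block ever reaches n, which is the reblocking concern a larger alphabet or larger blocks would raise.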
IX Security of the Method: Cryptanalytic Approaches

Since  no  techniques  exist  to  prove  that  an  encryption  scheme  is  secure,  the  only  test 
available  is  to  see  whether  anyone  can  think  of  a  way  to  break  it.  The  NBS  standard 
was "certified" this way; seventeen man-years at IBM were spent fruitlessly trying to
break  that  scheme.  Once  a  method  has  successfully  resisted  such  a  concerted  attack  it 
may  for  practical  purposes  be  considered  secure.  (Actually  there  is  some  controversy 
concerning  the  security  of  the  NBS  method  [2].) 

We  show  in  the  next  sections  that  all  the  obvious  approaches  for  breaking  our 
system  are  at  least  as  difficult  as  factoring  n.  While  factoring  large  numbers  is  not 
provably  difficult,  it  is  a  well-known  problem  that  has  been  worked  on  for  the  last  three 
hundred years by many famous mathematicians. Fermat (1601?-1665) and Legendre
(1752-1833)  developed  factoring  algorithms;  some  of  today’s  more  efficient  algorithms 
are  based  on  the  work  of  Legendre.  As  we  shall  see  in  the  next  section,  however,  no 
one  has  yet  found  an  algorithm  which  can  factor  a  200-digit  number  in  a  reasonable 
amount of time. We conclude that our system has already been partially "certified" by these previous efforts to find efficient factoring algorithms.

In  the  following  sections  we  consider  ways  a  cryptanalyst  might  try  to  determine 
the  secret  decryption  key  from  the  publicly  revealed  encryption  key.  We  do  not 
consider  ways  of  protecting  the  decryption  key  from  theft;  the  usual  physical  security 
methods  should  suffice.  (For  example,  the  encryption  device  could  be  a  separate 
device  which  could  also  be  used  to  generate  the  encryption  and  decryption  keys,  such 
that  the  decryption  key  is  never  printed  out  (even  for  its  owner)  but  only  used  to 
decrypt  messages.  The  device  could  erase  the  decryption  key  if  it  was  tampered  with.) 

A  Factoring  n 

Factoring n would enable an enemy cryptanalyst to "break" our method. The factors of n enable him to compute $\phi(n)$ and thus d. Fortunately, factoring a number seems to be much more difficult than determining whether it is prime or composite.

A large number of factoring algorithms exist. Knuth [3, Section 4.5.4] gives an excellent presentation of many of them. Pollard [9] presents an algorithm which factors a number n in time $O(n^{1/4})$.

The fastest factoring algorithm known to the authors is due to Richard Schroeppel (unpublished); it can factor n in approximately

$\exp\sqrt{\ln(n) \cdot \ln(\ln(n))} = (\ln(n))^{\sqrt{\ln(n)/\ln(\ln(n))}}$

steps (here ln denotes the natural logarithm function). Table 1 gives the number of operations needed to factor n with Schroeppel's method, and the time required if each operation uses one microsecond, for various lengths of the number n (in decimal digits).

Table 1

Digits    Number of operations    Time
50        1.4 x 10^10             3.9 hours
75        9.0 x 10^12             104 days
100       2.3 x 10^15             74 years
200       1.2 x 10^23             3.8 x 10^9 years
300       1.5 x 10^29             4.9 x 10^15 years
500       1.3 x 10^39             4.2 x 10^25 years

We recommend that n be about 200 digits long. Longer or shorter lengths can
be used depending on the relative importance of encryption speed and security in
the application at hand. An 80-digit n provides moderate security against an attack
using current technology; using 200 digits provides a margin of safety against future
developments. This flexibility to choose a key-length (and thus a level of security) to
suit a particular application is a feature not found in many of the previous encryption
schemes (such as the NBS scheme).
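The following Python is an added worked example, not part of the paper: it reproduces the Table 1 estimate from Schroeppel’s operation count under the paper’s one-microsecond-per-operation assumption, and additionally (which the paper does not do) converts a modulus length given in bits to the decimal digits the formula expects. The function names are the example’s own.

```python
import math

SECONDS_PER_OPERATION = 1e-6   # Table 1 assumes one microsecond per operation

def schroeppel_operations(digits: int) -> float:
    """Schroeppel's estimate exp(sqrt(ln(n) * ln(ln(n)))) of the number of
    operations needed to factor n; n is taken as 10**digits so that only the
    length of n enters, exactly as Table 1 tabulates it."""
    ln_n = digits * math.log(10)            # ln(10**digits) without building n
    return math.exp(math.sqrt(ln_n * math.log(ln_n)))

def factoring_time_seconds(digits: int,
                           seconds_per_op: float = SECONDS_PER_OPERATION) -> float:
    """Wall-clock estimate for the given modulus length."""
    return schroeppel_operations(digits) * seconds_per_op

def human_time(seconds: float) -> str:
    """Render a duration in the units Table 1 uses (hours, days or years)."""
    hour, day, year = 3600.0, 86400.0, 365.25 * 86400.0
    if seconds < day:
        return f"{seconds / hour:.1f} hours"
    if seconds < year:
        return f"{seconds / day:.0f} days"
    years = seconds / year
    return f"{years:.0f} years" if years < 1e6 else f"{years:.1e} years"

def digits_for_bits(bits: int) -> int:
    """Decimal length of a modulus of the given bit length (an addition of this
    example; the paper measures n in decimal digits only)."""
    return math.ceil(bits * math.log10(2))

def table_1(digit_lengths=(50, 75, 100, 200, 300, 500)):
    """Rows (digits, operations, time string) in the layout of Table 1."""
    return [(d, schroeppel_operations(d), human_time(factoring_time_seconds(d)))
            for d in digit_lengths]

if __name__ == "__main__":
    for digits, ops, when in table_1():
        print(f"{digits:>5} digits  {ops:9.1e} operations  {when}")
    for bits in (512, 1024, 2048):
        d = digits_for_bits(bits)
        print(f"{bits:>5} bits (~{d} digits): {human_time(factoring_time_seconds(d))}")
```

The bit-length rows are only an exercise in reading the 1978 formula; Schroeppel’s estimate is not a current security estimate, since the number field sieve developed later has a better asymptotic running time, so the digit counts the paper recommends must not be carried over to present-day key-size decisions.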

B Computing φ(n) Without Factoring n

If a cryptanalyst could compute φ(n) then he could break the system by computing d
as the multiplicative inverse of e modulo φ(n) (using the procedure of Section VII D).

We argue that this approach is no easier than factoring n since it enables the
cryptanalyst to easily factor n using φ(n). This approach to factoring n has not
turned out to be practical.

How can n be factored using φ(n)? First, (p + q) is obtained from n and φ(n) =
n − (p + q) + 1. Then (p − q) is the square root of (p + q)^2 − 4n. Finally, q is half the
difference of (p + q) and (p − q).

Therefore breaking our system by computing φ(n) is no easier than breaking our
system by factoring n. (This is why n must be composite; φ(n) is trivial to compute
if n is prime.)
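The three-step reduction above, carried out in Python as an added example (not code from the paper): from n and φ(n) it recovers p and q, and then d as the inverse of e modulo φ(n), which is what the section says an adversary who learned φ(n) would do. The toy parameters are constructed for the example.

```python
from math import isqrt

def factor_from_phi(n: int, phi: int) -> tuple:
    """Recover the primes p < q of n = p*q from n and phi = (p-1)(q-1).

    phi = n - (p+q) + 1, so s = p+q is known at once; then
    (p-q)^2 = (p+q)^2 - 4n, so p-q is an integer square root; p and q are
    half the difference and half the sum of those two quantities."""
    s = n - phi + 1                       # p + q
    disc = s * s - 4 * n                  # (p - q)^2
    if disc < 0:
        raise ValueError("phi is not consistent with n (n prime, or wrong phi)")
    t = isqrt(disc)                       # p - q
    if t * t != disc:
        raise ValueError("phi is not consistent with n")
    p, q = (s - t) // 2, (s + t) // 2
    if p * q != n:
        raise ValueError("phi is not consistent with n")
    return p, q

def private_exponent_from_phi(e: int, phi: int) -> int:
    """d = e^(-1) mod phi(n); pow with exponent -1 needs Python 3.8 or later
    and raises ValueError if gcd(e, phi) != 1."""
    return pow(e, -1, phi)

# Constructed toy parameters (not from the paper): 3233 = 53 * 61, phi = 52 * 60.
TOY_N, TOY_PHI, TOY_E = 3233, 3120, 17

if __name__ == "__main__":
    p, q = factor_from_phi(TOY_N, TOY_PHI)
    d = private_exponent_from_phi(TOY_E, TOY_PHI)
    print(f"n = {TOY_N} = {p} * {q}, d = {d}")
    m = 1234
    # Sanity check: the recovered d undoes encryption with (e, n).
    assert pow(pow(m, TOY_E, TOY_N), d, TOY_N) == m
```

The consistency checks matter in practice: if the square root is not exact or p·q ≠ n, the supplied φ(n) does not belong to this n, and a prime n fails the first check because its φ(n) = n − 1 gives a negative discriminant, which is the paper’s remark that n must be composite.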

C Determining d Without Factoring n or Computing φ(n)

Of course, d should be chosen from a large enough set so that a direct search for it is
unfeasible.

We argue that computing d is no easier for a cryptanalyst than factoring n, since
once d is known n could be factored easily. This approach to factoring has also not
turned out to be fruitful.

A knowledge of d enables n to be factored as follows. Once a cryptanalyst knows d
he can calculate e · d − 1, which is a multiple of φ(n). Miller [6] has shown that n can
be factored using any multiple of φ(n). Therefore if n is large a cryptanalyst should
not be able to determine d any easier than he can factor n.

A cryptanalyst may hope to find a d' which is equivalent to the d secretly held by
a user of the public-key cryptosystem. If such values d' were common then a brute-
force search could break the system. However, all such d' differ by the least common
multiple of (p − 1) and (q − 1), and finding one enables n to be factored. (In (3) and
(5), φ(n) can be replaced by lcm(p − 1, q − 1).) Finding any such d' is therefore as
difficult as factoring n.
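Miller’s argument, as an added Python example (not the paper’s code): a multiple of φ(n) such as e·d − 1 yields a square root of 1 modulo n other than ±1, and gcd with n then splits n. The example also constructs an equivalent exponent d' = d + lcm(p − 1, q − 1) and shows that it both deciphers correctly and factors n just as well, which is the point of the last paragraph. Toy parameters and function names are the example’s own.

```python
from math import gcd, lcm   # math.lcm needs Python 3.9 or later

def factor_from_private_exponent(n: int, e: int, d: int) -> tuple:
    """Split n = p*q given a working (e, d) pair.

    k = e*d - 1 is a multiple of phi(n) (or of lcm(p-1, q-1)), so a^k = 1 mod n
    for every a coprime to n.  Writing k = 2^t * m with m odd, the chain
    a^m, a^(2m), a^(4m), ... reaches 1; the element just before the first 1 is
    a square root of 1 mod n, and if it is not +-1 then gcd(x - 1, n) is a
    proper factor.  Bases are swept deterministically, which is fine for a toy n."""
    k = e * d - 1
    if k <= 0:
        raise ValueError("e*d - 1 must be positive")
    t, m = 0, k
    while m % 2 == 0:                     # k = 2**t * m with m odd
        t, m = t + 1, m // 2
    for a in range(2, n - 1):
        g = gcd(a, n)
        if g > 1:                         # a already shares a factor with n
            return tuple(sorted((g, n // g)))
        x = pow(a, m, n)
        if x in (1, n - 1):
            continue                      # this base reaches 1 only through +-1
        for _ in range(t):
            y = x * x % n
            if y == 1:                    # x is a square root of 1 other than +-1
                g = gcd(x - 1, n)
                return tuple(sorted((g, n // g)))
            if y == n - 1:
                break                     # hit -1 first; try the next base
            x = y
    raise ValueError("no nontrivial square root of 1 found; is (e, d) valid for n?")

def equivalent_private_exponent(d: int, p: int, q: int, steps: int = 1) -> int:
    """Another d' that deciphers exactly like d: all such exponents differ by a
    multiple of lcm(p-1, q-1), as the section notes."""
    return d + steps * lcm(p - 1, q - 1)

# Constructed toy key (not from the paper): n = 53 * 61, e = 17, d = 2753.
TOY_N, TOY_E, TOY_D = 3233, 17, 2753

if __name__ == "__main__":
    p, q = factor_from_private_exponent(TOY_N, TOY_E, TOY_D)
    d2 = equivalent_private_exponent(TOY_D, p, q)
    c = pow(42, TOY_E, TOY_N)
    print(f"n = {p} * {q}; d' = {d2} deciphers c to {pow(c, d2, TOY_N)}")
    print("d' also factors n:", factor_from_private_exponent(TOY_N, TOY_E, d2))
```

The operational consequence for a key owner is the one the section implies: a leaked d exposes the factorization of n, so after such a compromise the whole modulus must be retired rather than only the exponent pair replaced.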

D  Computing  D  in  Some  Other  Way 

Although this problem of “computing e-th roots modulo n without factoring n” is
not a well-known difficult problem like factoring, we feel reasonably confident that it
is computationally intractable. It may be possible to prove that any general method
of breaking our scheme yields an efficient factoring algorithm. This would establish
that any way of breaking our scheme must be as difficult as factoring. We have not
been able to prove this conjecture, however.

Our method should be certified by having the above conjecture of intractability
withstand a concerted attempt to disprove it. The reader is challenged to find a way
to “break” our method.


X Avoiding “Reblocking” When Encrypting A Signed Message

A signed message may have to be “reblocked” for encryption since the signature n may
be larger than the encryption n (every user has his own n). This can be avoided as
follows. A threshold value h is chosen (say h = 10^199) for the public-key cryptosystem.
Every user maintains two public (e, n) pairs, one for enciphering and one for signature-
verification, where every signature n is less than h, and every enciphering n is greater
than h. Reblocking to encipher a signed message is then unnecessary; the message is
blocked according to the transmitter’s signature n.

Another solution uses a technique given in [4]. Each user has a single (e, n) pair
where n is between h and 2h, where h is a threshold as above. A message is encoded
as a number less than h and enciphered as before, except that if the ciphertext is
greater than h, it is repeatedly re-enciphered until it is less than h. Similarly for
decryption the ciphertext is repeatedly deciphered to obtain a value less than h. If n
is near h re-enciphering will be infrequent. (Infinite looping is not possible, since at
worst a message is enciphered as itself.)
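The second solution, as an added Python example (not code from the paper or from [4]): the modulus lies in (h, 2h), the message is a number below h, and enciphering repeats until the ciphertext is below h; deciphering repeats while the result is still at or above h. The toy modulus, exponents and threshold are constructed for the example.

```python
def encipher_without_reblocking(m: int, e: int, n: int, h: int) -> tuple:
    """Encipher a message m < h under (e, n) with h < n < 2h, re-enciphering
    until the ciphertext is also below h.  Returns (ciphertext, rounds)."""
    if not (h < n < 2 * h):
        raise ValueError("n must lie strictly between h and 2h")
    if not (0 <= m < h):
        raise ValueError("the message must be encoded as a number below h")
    c, rounds = pow(m, e, n), 1
    # Terminates: x -> x^e mod n is a permutation of the residues, so the orbit
    # of m returns to m < h at the latest (the paper's "enciphered as itself").
    while c >= h:
        c, rounds = pow(c, e, n), rounds + 1
    return c, rounds

def decipher_without_reblocking(c: int, d: int, n: int, h: int) -> tuple:
    """Undo the above: decipher once, then keep deciphering while the value is
    still >= h.  Every intermediate ciphertext was >= h and only the message
    is below h, so this stops exactly at m; the round count mirrors enciphering."""
    m, rounds = pow(c, d, n), 1
    while m >= h:
        m, rounds = pow(m, d, n), rounds + 1
    return m, rounds

# Constructed toy parameters (not from the paper): n = 53 * 61 = 3233 with
# e = 17, d = 2753, and threshold h = 2000 so that h < n < 2h.
TOY_N, TOY_E, TOY_D, TOY_H = 3233, 17, 2753, 2000

if __name__ == "__main__":
    for m in (2, 5, 1999):
        c, enc_rounds = encipher_without_reblocking(m, TOY_E, TOY_N, TOY_H)
        back, dec_rounds = decipher_without_reblocking(c, TOY_D, TOY_N, TOY_H)
        print(f"m={m}: c={c} after {enc_rounds} enciphering(s); "
              f"recovered {back} after {dec_rounds} deciphering(s)")
```

With h = 2000 and n = 3233 the gap between h and n is large, so re-enciphering is common (m = 5 needs more than one round); with the paper’s recommendation that n be near h it is rare, but the decipherer must still loop, since it cannot know in advance how many rounds the sender needed.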


XI Conclusions

We have proposed a method for implementing a public-key cryptosystem whose security
rests in part on the difficulty of factoring large numbers. If the security of our
method proves to be adequate, it permits secure communications to be established
without the use of couriers to carry keys, and it also permits one to “sign” digitized
documents.

The security of this system needs to be examined in more detail. In particular,
the difficulty of factoring large numbers should be examined very closely. The reader
is urged to find a way to “break” the system. Once the method has withstood all
attacks for a sufficient length of time it may be used with a reasonable amount of
confidence.

Our encryption function is the only candidate for a “trap-door one-way permutation”
known to the authors. It might be desirable to find other examples, to provide
alternative implementations should the security of our system turn out someday to be
inadequate. There are surely also many new applications to be discovered for these
functions.